I am trying to use nuxt for my app, but when I run "yarn audit", there are some audit issues which are dependencies of nuxt.
Do I have to fix these audit issues? And if I have to, how can I fix it?
I am using nuxt 2.15.7 and I added the latest css-what but it didn't changed.
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Regular expression denial of service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nuxt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nuxt > #nuxt/builder > #nuxt/webpack > webpack > watchpack > │
│ │ watchpack-chokidar2 > chokidar > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1751 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Regular expression denial of service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nuxt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nuxt > #nuxt/webpack > webpack > watchpack > │
│ │ watchpack-chokidar2 > chokidar > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1751 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nuxt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nuxt > #nuxt/builder > #nuxt/webpack > cssnano > │
│ │ cssnano-preset-default > postcss-svgo > svgo > css-select > │
│ │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1754 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nuxt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nuxt > #nuxt/webpack > cssnano > cssnano-preset-default > │
│ │ postcss-svgo > svgo > css-select > css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1754 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nuxt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nuxt > #nuxt/builder > #nuxt/webpack > │
│ │ optimize-css-assets-webpack-plugin > cssnano > │
│ │ cssnano-preset-default > postcss-svgo > svgo > css-select > │
│ │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1754 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nuxt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nuxt > #nuxt/webpack > optimize-css-assets-webpack-plugin > │
│ │ cssnano > cssnano-preset-default > postcss-svgo > svgo > │
│ │ css-select > css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1754 │
└───────────────┴──────────────────────────────────────────────────────────────┘
6 vulnerabilities found - Packages audited: 1199
Severity: 2 Moderate | 4 High
Done in 1.67s.
$yarn list --pattern css-what
yarn list v1.22.10
├─ css-what#5.0.1
└─ svgo#1.3.2
└─ css-what#3.4.2
Since the severity is moderate/high and it's a Denial of Service, you don't really have to worry about it. In case of big huge critical one, the Internet, Github and your colleagues will alert you.
As of fixing it, there is no yarn audit fix as in npm, but we can use npm just to fix those or do fix those manually with Yarn, here is a nice article on how to achieve this: https://javascriptbit.com/yarn-audit-fix-security-issues/
Related
I have workspaces configured and working.
When I install from the root, sometimes packages are installed in the root and sometimes they are installed in the workspace node_modules.
When and how does NPM choose to install a package at the root/node_modules vs a workspace/node_modules?
It turns out, when two packages rely on the same module with a compatible version number in the dependencies, npm (with workspaces) will install the package only in root/node_modules. Otherwise, it will install in the node_modules of package(s).
In this example the same react-dom version is shared between packages:
customer-ui#1.0.0 /home/ubuntu/name/customer-ui
├─┬ components#0.15.0 -> ./packages/components
│ ├─┬ react-cosmos#5.7.2
│ │ └─┬ react-cosmos-shared2#5.7.1
│ │ └─┬ react-element-to-jsx-string#14.3.4
│ │ └── react-dom#17.0.2 deduped
│ ├── react-dom#17.0.2
│ ├─┬ react-modal#3.15.1
│ │ └── react-dom#17.0.2 deduped
│ ├─┬ react-to-print#2.14.7
│ │ └── react-dom#17.0.2 deduped
│ └─┬ styled-components#5.3.5
│ └── react-dom#17.0.2 deduped
└─┬ embedded#0.1.0 -> ./packages/embedded
└── react-dom#17.0.2 deduped
And npm installed it only in the root/node_modules dir:
❯ ls node_modules/react-dom
LICENSE build-info.json index.js profiling.js server.js test-utils.js
README.md cjs package.json server.browser.js server.node.js umd
❯ ls packages/embedded/node_modules/react-dom
ls: cannot access 'packages/embedded/node_modules/react-dom': No such file or directory
❯ ls packages/components/node_modules/react-dom
ls: cannot access 'packages/components/node_modules/react-dom': No such file or directory
However, for a package with incompatible version between packages, it's different:
❯ npm ls argparse
customer-ui#1.0.0 /home/ubuntu/name/customer-ui
├─┬ #components#0.15.0 -> ./packages/components
│ └─┬ eslint#8.17.0
│ └─┬ js-yaml#4.1.0
│ └── argparse#2.0.1
└─┬ embedded#0.1.0 -> ./packages/embedded
├─┬ eslint#6.8.0
│ └─┬ js-yaml#3.14.1
│ └── argparse#1.0.10
├─┬ jest-preset-preact#4.0.5
│ └─┬ babel-jest#27.5.1
│ └─┬ babel-plugin-istanbul#6.1.1
│ └─┬ #istanbuljs/load-nyc-config#1.1.0
│ └─┬ js-yaml#3.14.1
│ └── argparse#1.0.10
└─┬ microbundle#0.12.4
├─┬ cssnano#4.1.11
│ ├─┬ cosmiconfig#5.2.1
│ │ └─┬ js-yaml#3.14.1
│ │ └── argparse#1.0.10
│ └─┬ cssnano-preset-default#4.0.8
│ └─┬ postcss-svgo#4.0.3
│ └─┬ svgo#1.3.2
│ └─┬ js-yaml#3.14.1
│ └── argparse#1.0.10
└─┬ rollup-plugin-postcss#2.9.0
└─┬ postcss-load-config#2.1.2
└─┬ cosmiconfig#5.2.1
└─┬ js-yaml#3.14.1
└── argparse#1.0.10
embedded package demands argparse#1.0.10 and embedded demands argparse#2.0.1.
For these, npm installs them in multiple places:
❯ ls node_modules/argparse
CHANGELOG.md LICENSE README.md argparse.js lib package.json
❯ ls packages/components/argparse
ls: cannot access 'packages/components/argparse': No such file or directory
❯ ls packages/embedded/node_modules/argparse
CHANGELOG.md LICENSE README.md index.js lib package.json
In case it helps, this is a snippet of root/package.json:
{
"name": "customer-ui",
"version": "1.0.0",
"workspaces": [
"packages/*"
]
}
Thanks to #Stf_F for answering this in the comment above.
When I run npm install it says found 1596 vulnerabilities (20 low, 51 moderate, 1525 high)
run npm audit fix to fix them, or npm audit for details
When I run npm audit it gives me a list of tables, similar to this:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary Code Execution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ underscore │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.12.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ #alch/alchemy-web3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ #alch/alchemy-web3 > web3 > web3-shh > web3-net > │
│ │ web3-core-method > underscore │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1674 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hosted-git-info │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.8.9 <3.0.0 || >=3.0.8 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ latest │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ latest > npm > npm-registry-client > normalize-package-data │
│ │ > hosted-git-info │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1677 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Remote Memory Exposure │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ request │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.68.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ version │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ version > request │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/309 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ ReDoS │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ brace-expansion │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.1.7 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ latest │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ latest > npm > fs-vacuum > rimraf > glob > minimatch > │
│ │ brace-expansion │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/338 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ latest │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ latest > npm > node-gyp > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Insecure Credential Storage │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ web3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ #alch/alchemy-web3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ #alch/alchemy-web3 > web3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/877 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Had raised this to Alchemy as their #alch/alchemy-web3 latest package dependency was not upgraded to use the patched version of "Underscore".
They did a quick upgrade and it's fixed now as of 7 hours ago at #alch/alchemy-web3 on version "^1.0,3";
Please run npm update #alch/alchemy-web3
How should I fix the vulnerabilities below that require manual review ?
$ npm --version
6.9.0
$ npm audit fix
up to date in 7.044s
fixed 0 of 4 vulnerabilities in 31604 scanned packages
4 vulnerabilities required manual review and could not be updated
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libnpm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 high severity vulnerabilities in 31604 scanned packages
4 vulnerabilities require manual review. See the full report for details.
You need to upgrade the tar package to version 4.4.2 or later.
This issue solution yet to be release.Many PR open on github regarding the issue.But try this may it helps:
npm install -D node-gyp
npm install -D tar#">4.4.7"
For more details check here.
This issue also raised here.
Attempt to fix this issue.
This might be fixed by 10th May,2019.
Check here for more details on it.
It said,
found 4 high severity vulnerabilities in 891002 scanned packages
4 vulnerabilities require manual review. See the full report for details.
how to make 0 vulnerabilities?
I also do "npm audit fix" and I put "--force", but it didn't work.
and,
when I do "npm audit",
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libnpm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
And I'm using at react & electron.
when I installed font awesome, this error appeared.
So, I removed the font awesome, but it didn't change anything
I had the same problem with my ionic project.
This Link Helped me to get rid this.
In package-lock.json replace the following section
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
with
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
Then run
sudo rm -fr node_modules
and
npm install
By following this method I got rid of the warnings.
Hope this works for you!
for whatever packages you are getting vulnerabilities, change package version inside package-lock.json to the recommended version, remove node_modules and run npm i.
for fstream for e.g :
in package-lock.json from:
"fstream": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/fstream/-/fstream-1.0.1.tgz",
"integrity": "sha512-WvJ193OHa0GHPEL+AycEJgxvBEwyfRkN1vhjca23OaPVMCaLCXTd5qAu82AjTcgP1UJmytkOKb63Ypde7raDIg=="
}
to:
"fstream": {
"version": "1.0.12",
"resolved": "https://registry.npmjs.org/fstream/-/fstream-1.0.12.tgz",
"integrity": "sha512-WvJ193OHa0GHPEL+AycEJgxvBEwyfRkN1vhjca23OaPVMCaLCXTd5qAu82AjTcgP1UJmytkOKb63Ypde7raDIg=="
}
delete node_modules:
rm node_modules
then:
npm i
i'm creating new reactjs application using npx create-react-app my-react.
everything goes well but when list local modules in my-react folder using npm ls --depth=0 there are some missing errors from npm :
my-react#0.1.0 /tmp/my-react
├── react#16.6.3
├── react-dom#16.6.3
└── react-scripts#2.1.1
npm ERR! missing: mkdirp#0.5.1, required by node-pre-gyp#0.10.0
npm ERR! missing: minimist#0.0.8, required by mkdirp#0.5.1
npm ERR! missing: minimatch#3.0.4, required by ignore-walk#3.0.1
npm ERR! missing: brace-expansion#1.1.11, required by minimatch#3.0.4
npm ERR! missing: balanced-match#1.0.0, required by brace-expansion#1.1.11
npm ERR! missing: concat-map#0.0.1, required by brace-expansion#1.1.11
npm ERR! missing: console-control-strings#1.1.0, required by npmlog#4.1.2
npm ERR! missing: inherits#2.0.3, required by readable-stream#2.3.6
npm ERR! missing: safe-buffer#5.1.1, required by readable-stream#2.3.6
npm ERR! missing: safe-buffer#5.1.1, required by string_decoder#1.1.1
npm ERR! missing: console-control-strings#1.1.0, required by gauge#2.7.4
npm ERR! missing: string-width#1.0.2, required by gauge#2.7.4
npm ERR! missing: strip-ansi#3.0.1, required by gauge#2.7.4
npm ERR! missing: code-point-at#1.1.0, required by string-width#1.0.2
npm ERR! missing: is-fullwidth-code-point#1.0.0, required by string-width#1.0.2
npm ERR! missing: strip-ansi#3.0.1, required by string-width#1.0.2
npm ERR! missing: number-is-nan#1.0.1, required by is-fullwidth-code-point#1.0.0
npm ERR! missing: ansi-regex#2.1.1, required by strip-ansi#3.0.1
npm ERR! missing: string-width#1.0.2, required by wide-align#1.1.2
npm ERR! missing: inherits#2.0.3, required by glob#7.1.2
npm ERR! missing: minimatch#3.0.4, required by glob#7.1.2
npm ERR! missing: once#1.4.0, required by glob#7.1.2
npm ERR! missing: once#1.4.0, required by inflight#1.0.6
npm ERR! missing: wrappy#1.0.2, required by inflight#1.0.6
npm ERR! missing: wrappy#1.0.2, required by once#1.4.0
npm ERR! missing: minipass#2.2.4, required by tar#4.4.1
npm ERR! missing: mkdirp#0.5.1, required by tar#4.4.1
npm ERR! missing: safe-buffer#5.1.1, required by tar#4.4.1
npm ERR! missing: yallist#3.0.2, required by tar#4.4.1
npm ERR! missing: minipass#2.2.4, required by fs-minipass#1.2.5
npm ERR! missing: safe-buffer#5.1.1, required by minipass#2.2.4
npm ERR! missing: yallist#3.0.2, required by minipass#2.2.4
npm ERR! missing: minipass#2.2.4, required by minizlib#1.1.0
I just ran into this as well, and did some looking. It seems to be an issue with the current way npm handles Optional Dependencies. If you do a full npm list, you'll find the culprit is fsevents.
UNMET OPTIONAL DEPENDENCY fsevents#1.2.4
│ ├── UNMET OPTIONAL DEPENDENCY nan#2.12.1
│ └─┬ UNMET OPTIONAL DEPENDENCY node-pre-gyp#0.10.0
│ ├── UNMET OPTIONAL DEPENDENCY detect-libc#1.0.3
│ ├─┬ UNMET DEPENDENCY mkdirp#0.5.1
│ │ └── UNMET DEPENDENCY minimist#0.0.8
│ ├─┬ UNMET OPTIONAL DEPENDENCY needle#2.2.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY debug#2.6.9
│ │ │ └── UNMET OPTIONAL DEPENDENCY ms#2.0.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY iconv-lite#0.4.21
│ │ │ └── UNMET OPTIONAL DEPENDENCY safer-buffer#2.1.2
│ │ └── UNMET OPTIONAL DEPENDENCY sax#1.2.4
│ ├─┬ UNMET OPTIONAL DEPENDENCY nopt#4.0.1
│ │ ├── UNMET OPTIONAL DEPENDENCY abbrev#1.1.1
│ │ └─┬ UNMET OPTIONAL DEPENDENCY osenv#0.1.5
│ │ ├── UNMET OPTIONAL DEPENDENCY os-homedir#1.0.2
│ │ └── UNMET OPTIONAL DEPENDENCY os-tmpdir#1.0.2
│ ├─┬ UNMET OPTIONAL DEPENDENCY npm-packlist#1.1.10
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY ignore-walk#3.0.1
│ │ │ └─┬ UNMET DEPENDENCY minimatch#3.0.4
│ │ │ └─┬ UNMET DEPENDENCY brace-expansion#1.1.11
│ │ │ ├── UNMET DEPENDENCY balanced-match#1.0.0
│ │ │ └── UNMET DEPENDENCY concat-map#0.0.1
│ │ └── UNMET OPTIONAL DEPENDENCY npm-bundled#1.0.3
│ ├─┬ UNMET OPTIONAL DEPENDENCY npmlog#4.1.2
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY are-we-there-yet#1.1.4
│ │ │ ├── UNMET OPTIONAL DEPENDENCY delegates#1.0.0
│ │ │ └─┬ UNMET OPTIONAL DEPENDENCY readable-stream#2.3.6
│ │ │ ├── UNMET OPTIONAL DEPENDENCY core-util-is#1.0.2
│ │ │ ├── UNMET DEPENDENCY inherits#2.0.3
│ │ │ ├── UNMET OPTIONAL DEPENDENCY isarray#1.0.0
│ │ │ ├── UNMET OPTIONAL DEPENDENCY process-nextick-args#2.0.0
│ │ │ ├── UNMET DEPENDENCY safe-buffer#5.1.1
│ │ │ ├─┬ UNMET OPTIONAL DEPENDENCY string_decoder#1.1.1
│ │ │ │ └── UNMET DEPENDENCY safe-buffer#5.1.1
│ │ │ └── UNMET OPTIONAL DEPENDENCY util-deprecate#1.0.2
│ │ ├── UNMET DEPENDENCY console-control-strings#1.1.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY gauge#2.7.4
│ │ │ ├── UNMET OPTIONAL DEPENDENCY aproba#1.2.0
│ │ │ ├── UNMET DEPENDENCY console-control-strings#1.1.0
│ │ │ ├── UNMET OPTIONAL DEPENDENCY has-unicode#2.0.1
│ │ │ ├── UNMET OPTIONAL DEPENDENCY object-assign#4.1.1
│ │ │ ├── UNMET OPTIONAL DEPENDENCY signal-exit#3.0.2
│ │ │ ├─┬ UNMET DEPENDENCY string-width#1.0.2
│ │ │ │ ├── UNMET DEPENDENCY code-point-at#1.1.0
│ │ │ │ ├─┬ UNMET DEPENDENCY is-fullwidth-code-point#1.0.0
│ │ │ │ │ └── UNMET DEPENDENCY number-is-nan#1.0.1
│ │ │ │ └── UNMET DEPENDENCY strip-ansi#3.0.1
│ │ │ ├─┬ UNMET DEPENDENCY strip-ansi#3.0.1
│ │ │ │ └── UNMET DEPENDENCY ansi-regex#2.1.1
│ │ │ └─┬ UNMET OPTIONAL DEPENDENCY wide-align#1.1.2
│ │ │ └── UNMET DEPENDENCY string-width#1.0.2
│ │ └── UNMET OPTIONAL DEPENDENCY set-blocking#2.0.0
│ ├─┬ UNMET OPTIONAL DEPENDENCY rc#1.2.7
│ │ ├── UNMET OPTIONAL DEPENDENCY deep-extend#0.5.1
│ │ ├── UNMET OPTIONAL DEPENDENCY ini#1.3.5
│ │ ├── UNMET OPTIONAL DEPENDENCY minimist#1.2.0
│ │ └── UNMET OPTIONAL DEPENDENCY strip-json-comments#2.0.1
│ ├─┬ UNMET OPTIONAL DEPENDENCY rimraf#2.6.2
│ │ └─┬ UNMET OPTIONAL DEPENDENCY glob#7.1.2
│ │ ├── UNMET OPTIONAL DEPENDENCY fs.realpath#1.0.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY inflight#1.0.6
│ │ │ ├── UNMET DEPENDENCY once#1.4.0
│ │ │ └── UNMET DEPENDENCY wrappy#1.0.2
│ │ ├── UNMET DEPENDENCY inherits#2.0.3
│ │ ├── UNMET DEPENDENCY minimatch#3.0.4
│ │ ├─┬ UNMET DEPENDENCY once#1.4.0
│ │ │ └── UNMET DEPENDENCY wrappy#1.0.2
│ │ └── UNMET OPTIONAL DEPENDENCY path-is-absolute#1.0.1
│ ├── UNMET OPTIONAL DEPENDENCY semver#5.5.0
│ └─┬ UNMET OPTIONAL DEPENDENCY tar#4.4.1
│ ├── UNMET OPTIONAL DEPENDENCY chownr#1.0.1
│ ├─┬ UNMET OPTIONAL DEPENDENCY fs-minipass#1.2.5
│ │ └── UNMET DEPENDENCY minipass#2.2.4
│ ├─┬ UNMET DEPENDENCY minipass#2.2.4
│ │ ├── UNMET DEPENDENCY safe-buffer#5.1.1
│ │ └── UNMET DEPENDENCY yallist#3.0.2
│ ├─┬ UNMET OPTIONAL DEPENDENCY minizlib#1.1.0
│ │ └── UNMET DEPENDENCY minipass#2.2.4
│ ├── UNMET DEPENDENCY mkdirp#0.5.1
│ ├── UNMET DEPENDENCY safe-buffer#5.1.1
│ └── UNMET DEPENDENCY yallist#3.0.2
fsevents (https://www.npmjs.com/package/fsevents) states that it is only needed for the OS X operating system, so if you're on Linux for example, npm doesn't install it, but then also reports that as an error (?). The behavior is confusing. But it should stay in package.json because if someone installs your code on a mac, fsevents would be needed.
There was a PR for this against the npm repository to turn the platform dependency logs down to info, but it seems to have gotten abandoned when the devs switched npm to a new repo :\
For now, you can safely ignore it (and hopefully get your build system to ignore it as well), or switch to yarn.